Can you suggest how to implement grace period

Article Id: 143720
Status: Published
Updated On: 24-01-2020 08:37
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On Agents (SiteMinder) , SITEMINDER , CA Single Sign On Federation (SiteMinder) , CA Single Sign On SOA Security Manager (SiteMinder) , SITEMINDER
Issue/Introduction:

 

We're running API Gateway integrated with Layer7 SiteMinder, and we'd
like to know how to implement the grace period for the SMSESSION cookie ?

Is there a way to do it ?

 

Environment:

API Gateway 9.4

SiteMinder 12.7

Resolution:

 

At first glance, Layer7 SiteMinder uses an ACO to control the grace
period for the SMSESSION cookie to be renew, in order to avoid that
"the agent waits from the last accessed time of the received session
cookie before it generates a new session cookie".

  Session Grace Period and Update Period Settings

    SessionGracePeriod  

    Specifies the number of seconds the agent waits from the last
    accessed time of the received session cookie before it generates a
    new session cookie. Set the SessionGracePeriod to 0 to disable the
    setting. If the setting is disabled, the agent updates session
    cookies for every request.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes.html

As you know already, the Api Gateway only support 9 ACO at the moment :

  Fetch ACO Properties to the Gateway Policy for Composing SMSESSION
  Cookie with SSOToken

    The following list of ACO parameters compose the SMSESSION cookie string:

     ATTR_ACO_SSOZoneName constitutes SSOZoneName property
     ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
     ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
     ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
     ATTR_ACO_UseSecureCookies is used to indicate secure flag
     ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

     Note: Except for the above ACO parameters, Gateway does not use
     any other ACO parameters.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html

At time of writing this note (2020-01-24), this ACO isn't disponible
for API Gateway.

In order to get the Layer7 SiteMinder ACO parameter SessionGracePeriod
implemented for API Gateway, we invite you to submit an Enhencement
Request (Idea) on the Broadcom page :

  1. Go to the "All Ideas" page :
     https://community.broadcom.com/ideation/allideas
  2. Click on the "Add" button.
  3. In the "Select categories...", select "Layer7 Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enahcement Request or
     Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted !